{"api_version":"1","generated_at":"2026-05-12T19:41:32+00:00","cve":"CVE-2026-3356","urls":{"html":"https://cve.report/CVE-2026-3356","api":"https://cve.report/api/cve/CVE-2026-3356.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-3356","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-3356"},"summary":{"title":"Missing Authentication for Critical Function vulnerability in Anritsu Remote Spectrum Monitor","description":"The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error.","state":"PUBLISHED","assigner":"icscert","published_at":"2026-03-31 19:16:28","updated_at":"2026-04-01 14:23:37"},"problem_types":["CWE-306","CWE-306 CWE-306 Missing authentication for critical function"],"metrics":[{"version":"4.0","source":"ics-cert@hq.dhs.gov","type":"Secondary","score":"9.3","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"9.3","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.3,"baseSeverity":"CRITICAL","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"}}],"references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-01","name":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-01","refsource":"ics-cert@hq.dhs.gov","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-3356","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3356","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Anritsu","product":"Remote Spectrum Monitor MS27100A","version":"affected All versions custom","platforms":[]},{"source":"CNA","vendor":"Anritsu","product":"Remote Spectrum Monitor MS27101A","version":"affected All versions custom","platforms":[]},{"source":"CNA","vendor":"Anritsu","product":"Remote Spectrum Monitor MS27102A","version":"affected All versions custom","platforms":[]},{"source":"CNA","vendor":"Anritsu","product":"Remote Spectrum Monitor MS27103A","version":"affected All versions custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Anritsu has no plans to fix this issue. Anritsu recommends that users deploy Remote Spectrum Monitor within secure network environments to mitigate potential risks.\n\n\n\nUsers can contact Anritsu Technical Support (1-800-267-4878) for more information.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Souvik Kandar","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"3356","cve":"CVE-2026-3356","epss":"0.000650000","percentile":"0.201020000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:40"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-3356","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-01T13:43:38.631220Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-01T13:43:44.724Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Remote Spectrum Monitor MS27100A","vendor":"Anritsu","versions":[{"status":"affected","version":"All versions","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Remote Spectrum Monitor MS27101A","vendor":"Anritsu","versions":[{"status":"affected","version":"All versions","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Remote Spectrum Monitor MS27102A","vendor":"Anritsu","versions":[{"status":"affected","version":"All versions","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Remote Spectrum Monitor MS27103A","vendor":"Anritsu","versions":[{"status":"affected","version":"All versions","versionType":"custom"}]}],"credits":[{"lang":"en","type":"reporter","value":"Souvik Kandar"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error.&nbsp;<br>"}],"value":"The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.3,"baseSeverity":"CRITICAL","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-306","description":"CWE-306 Missing authentication for critical function","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-31T18:40:17.359Z","orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert"},"references":[{"tags":["government-resource"],"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-01"}],"source":{"discovery":"UNKNOWN"},"title":"Missing Authentication for Critical Function vulnerability in Anritsu Remote Spectrum Monitor","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Anritsu has no plans to fix this issue. Anritsu recommends that users deploy Remote Spectrum Monitor within secure network environments to mitigate potential risks.\n<br>\n<br>Users can contact Anritsu Technical Support (1-800-267-4878) for more information."}],"value":"Anritsu has no plans to fix this issue. Anritsu recommends that users deploy Remote Spectrum Monitor within secure network environments to mitigate potential risks.\n\n\n\nUsers can contact Anritsu Technical Support (1-800-267-4878) for more information."}],"x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","assignerShortName":"icscert","cveId":"CVE-2026-3356","datePublished":"2026-03-31T18:40:17.359Z","dateReserved":"2026-02-27T18:08:31.007Z","dateUpdated":"2026-04-01T13:43:44.724Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-31 19:16:28","lastModifiedDate":"2026-04-01 14:23:37","problem_types":["CWE-306","CWE-306 CWE-306 Missing authentication for critical function"],"metrics":{"cvssMetricV40":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"3356","Ordinal":"1","Title":"Missing Authentication for Critical Function vulnerability in An","CVE":"CVE-2026-3356","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"3356","Ordinal":"1","NoteData":"The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error.","Type":"Description","Title":"Missing Authentication for Critical Function vulnerability in An"}]}}}